[SSSD] [sssd PR#705][synchronized] KCM: Add configurable quotas

2019-01-20 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/705
Author: jhrozek
 Title: #705: KCM: Add configurable quotas
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/705/head:pr705
git checkout pr705
From dc7f085c6e81f431f313593e565b05400e45819d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 5 Oct 2018 13:17:14 +0200
Subject: [PATCH 1/8] MAN: Get rid of sssd-secrets reference

Related:
https://pagure.io/SSSD/sssd/issue/3685

There were some stray references to the secrets responder in the
sssd-kcm manual page.
---
 src/man/sssd-kcm.8.xml | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index fff8b0a16d..90b9ad09c2 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -58,11 +58,9 @@
 
 
 
-the SSSD implementation stores the ccaches in the SSSD
-
-sssd-secrets5
-
-secrets store, allowing the ccaches to survive KCM server restarts or machine reboots.
+the SSSD implementation stores the ccaches in a database,
+typically located at /var/lib/sss/secrets
+allowing the ccaches to survive KCM server restarts or machine reboots.
 
 
 
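Review bot: The replacement text drops the punctuation between the clauses: "typically located at /var/lib/sss/secrets" runs straight into "allowing the ccaches to survive KCM server restarts", so the rendered sentence is a run-on. Add a comma after the path (`+typically located at /var/lib/sss/secrets,`) or end the sentence there and start a new one with "This allows the ccaches to survive...".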

From 51a66363814b79139a94184147d6a7a9dc6e377e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Fri, 30 Nov 2018 13:15:58 +0100
Subject: [PATCH 2/8] MAN: Document that it is enough to systemctl restart
 sssd-kcm.service lately

Related:
https://pagure.io/SSSD/sssd/issue/3862

We forgot to amend the man page after implementing the sssd-kcm service
reload.
---
 src/man/sssd-kcm.8.xml | 17 +++--
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml
index 90b9ad09c2..4e4aaa38ea 100644
--- a/src/man/sssd-kcm.8.xml
+++ b/src/man/sssd-kcm.8.xml
@@ -162,12 +162,17 @@ systemctl restart sssd-kcm.service
 CONFIGURATION OPTIONS
 
 The KCM service is configured in the kcm
-section of the sssd.conf file. Please note that currently,
-is it not sufficient to restart the sssd-kcm service, because
-the sssd configuration is only parsed and read to an internal
-configuration database by the sssd service. Therefore you
-must restart the sssd service if you change anything in the
-kcm section of sssd.conf.
+section of the sssd.conf file. Please note that because
+the KCM service is typically socket-activated, it is
+enough to just restart the sssd-kcm service
+after changing options in the kcm section
+of sssd.conf:
+
+systemctl restart sssd-kcm.service
+
+
+
+The KCM service is configured in the kcm
 For a detailed syntax reference, refer to the FILE FORMAT section of the
 
 sssd.conf
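Review bot: The final added line, `+The KCM service is configured in the kcm`, looks like a stray copy of the paragraph opening a few lines above; it lands directly before "For a detailed syntax reference" and would render as a dangling fragment in the man page, so drop it (or finish the paragraph if one was intended). The rest of the rewording is a clear improvement: it states that `systemctl restart sssd-kcm.service` is sufficient, matching the command already visible in the hunk header context.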

From b9704244a03974611cb6799e674769af932c311e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 26 Nov 2018 13:44:08 +0100
Subject: [PATCH 3/8] SECRETS: Use different option names from secrets and KCM
 for quota options

Related:
https://pagure.io/SSSD/sssd/issue/3386

With the separate secrets responder, the quotas for the /secrets and
/kcm hives were configurable in a sub-section of the [secrets] sssd.conf
section using the same option -- the /secrets vs. /kcm distinction was
made using the subsection name.

With the standalone KCM responder writing directly to the database, it
makes sense to have options with more descriptive names better suitable
for the KCM usage. For that we need the options for secrets quotas and
kcm quotas to be named differently.

For now, the patch only passes the option name to sss_sec_get_quota()
and sss_sec_get_hive_config() together with the default value in an
instance of a new structure sss_sec_quota_opt. The secrets responder
still uses the same option names for backwards compatibility.
---
 src/responder/secrets/secsrv.c | 70 ++
 src/util/secrets/config.c  | 40 +--
 src/util/secrets/secrets.h | 21 ++
 3 files changed, 88 insertions(+), 43 deletions(-)

diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index 2de93dedc5..e783e231d3 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -47,6 +47,39 @@ static void adjust_global_quota(struct sec_ctx *sctx,
 static int sec_get_config(struct sec_ctx *sctx)
 {
 int ret;
+struct sss_sec_quota_opt dfl_sec_nest_level = {
+.opt_name = CONFDB_SEC_CONTAINERS_NEST_LEVEL,
+.default_value = DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
+};
+st

[SSSD] [sssd PR#693][synchronized] SYSDB: Fall back to the MPG result of getgrgid search if the non-MPG search for override doesn't match anything

2019-01-20 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/693
Author: jhrozek
 Title: #693: SYSDB: Fall back to the MPG result of getgrgid search if the non-MPG search for override doesn't match anything
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/693/head:pr693
git checkout pr693
From 33aa422e4a88dd3d0297479d8832d3dfdffd4b87 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 7 Nov 2018 13:26:59 +0100
Subject: [PATCH] SYSDB: Fall back to the MPG result of getgrgid search if the
 non-MPG search for override doesn't match anything

---
 src/db/sysdb_search.c | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index 43341d4462..26f3b018e7 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1088,6 +1088,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
 const char *fmt_filter;
 struct ldb_dn *base_dn;
 struct ldb_result *res = NULL;
+struct ldb_result *mpg_res = NULL;
 int ret;
 static const char *default_attrs[] = SYSDB_GRSRC_ATTRS;
 const char **attrs = NULL;
@@ -1116,6 +1117,10 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
  * In case those are not the same, we're dealing with an
  * override and in order to return the proper overridden group
  * we must use the very same search used by a non-mpg domain
+ * to make sure that if the GID points to a group, it will
+ * be resolved. But we must also make sure to fall back
+ * to using the MPG result if the GID does not resolve
+ * to a group
  */
 fmt_filter = SYSDB_GRGID_MPG_FILTER;
 base_dn = sysdb_domain_dn(tmp_ctx, domain);
@@ -1138,6 +1143,7 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
 if (ul_originalad_gid != 0 && ul_originalad_gid != ul_gid) {
 fmt_filter = SYSDB_GRGID_FILTER;
 base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+mpg_res = res;
 res = NULL;
 }
 }
@@ -1162,6 +1168,14 @@ int sysdb_getgrgid_attrs(TALLOC_CTX *mem_ctx,
 }
 }
 
+if (mpg_res != NULL && mpg_res->count > 0
+&& (res == NULL || res->count == 0)) {
+/* The overriden group does not resolve to a proper group object,
+ * just use it as a result
+ */
+res = mpg_res;
+}
+
 ret = mpg_res_convert(res);
 if (ret) {
 goto done;
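Review bot: The fallback condition is sound: `mpg_res` is only non-NULL on the override path (it is assigned right before `res = NULL` in the earlier hunk), so domains without overrides are unaffected, and an override GID that does not resolve to a group object now yields the MPG entry instead of an empty result. Two small requests: fix the spelling "overriden" in the new comment ("overridden"), and emit a DEBUG line when the fallback is taken, because silently substituting the MPG result otherwise hides an override that points at a non-existent group and makes that misconfiguration hard to diagnose.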
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org


[SSSD] [sssd PR#736][synchronized] KCM: Allow representing ccaches with a NULL principal

2019-01-20 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/736
Author: jhrozek
 Title: #736: KCM: Allow representing ccaches with a NULL principal
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/736/head:pr736
git checkout pr736
From 40595a21d03d2c433665a5e3118627d30fffdc33 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 16 Jan 2019 13:06:10 +0100
Subject: [PATCH 1/3] KCM: Return a valid tevent error code if a request cannot
 be created

Previously we were returning whatever was in 'ret' which is wrong,
typically it would have been EOK as returned from a previous successful
call or even an uninitialized value.
---
 src/responder/kcm/kcmsrv_ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 9352909f4c..60b5677e93 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -527,7 +527,7 @@ static void kcm_op_initialize_create_step(struct tevent_req *req)
  state->op_ctx->client,
  state->new_cc);
 if (subreq == NULL) {
-tevent_req_error(req, ret);
+tevent_req_error(req, ENOMEM);
 return;
 }
 tevent_req_set_callback(subreq, kcm_op_initialize_cc_create_done, req);
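Review bot: Returning ENOMEM here is the right tevent convention: a `_send` function returns NULL only on allocation failure, and the old `tevent_req_error(req, ret)` could propagate EOK, which `tevent_req_error()` treats as "no error" and therefore never marks the request as finished, leaving it hanging. One follow-up check: if `ret` was assigned only for this path, make sure the variable still has a use in `kcm_op_initialize_create_step` so the build does not pick up an unused-variable warning; the hunk does not show the rest of the function.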

From e8d4d4da59e454d09ff34af73d3ac53e69da822c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Wed, 16 Jan 2019 13:02:01 +0100
Subject: [PATCH 2/3] KCM: Allow representing ccaches with a NULL principal

Related:
https://pagure.io/SSSD/sssd/issue/3873

We need to make it possible to create an internal ccache representation
without passing in a principal. The principal is only assigned to the
ccache with krb5_cc_initialize(), but some programs like openssh use the
following sequence of calls:
krb5_cc_new_unique
krb5_cc_switch
krb5_cc_initialize
---
 src/responder/kcm/kcmsrv_ccache.c| 18 +++--
 src/responder/kcm/kcmsrv_ccache_json.c   | 79 ---
 src/tests/cmocka/test_kcm_json_marshalling.c | 83 ++--
 3 files changed, 153 insertions(+), 27 deletions(-)

diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
index af2bcf8bb5..e7800662ac 100644
--- a/src/responder/kcm/kcmsrv_ccache.c
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -68,14 +68,16 @@ errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
 
 uuid_generate(cc->uuid);
 
-kret = krb5_copy_principal(k5c, princ, &cc->client);
-if (kret != 0) {
-const char *err_msg = sss_krb5_get_error_message(k5c, kret);
-DEBUG(SSSDBG_OP_FAILURE,
-  "krb5_copy_principal failed: [%d][%s]\n", kret, err_msg);
-sss_krb5_free_error_message(k5c, err_msg);
-ret = ERR_INTERNAL;
-goto done;
+if (princ) {
+kret = krb5_copy_principal(k5c, princ, &cc->client);
+if (kret != 0) {
+const char *err_msg = sss_krb5_get_error_message(k5c, kret);
+DEBUG(SSSDBG_OP_FAILURE,
+"krb5_copy_principal failed: [%d][%s]\n", kret, err_msg);
+sss_krb5_free_error_message(k5c, err_msg);
+ret = ERR_INTERNAL;
+goto done;
+}
 }
 
 cc->owner.uid = cli_creds_get_uid(owner);
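Review bot: With `cc->client` now allowed to stay NULL, every consumer of that field has to tolerate it, and this hunk only covers the constructor; check the places that compare, serialise or print the client principal (the commit message names krb5_cc_switch and krb5_cc_initialize as the calls that follow krb5_cc_new_unique) so a NULL principal is not dereferenced before krb5_cc_initialize sets it. Minor style point: the rest of this patch uses explicit NULL comparisons (`if (subreq == NULL)`, `if (components == NULL)`), so `if (princ != NULL)` would match the surrounding code better than `if (princ)`.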
diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
index 6341530ee5..72e24c4304 100644
--- a/src/responder/kcm/kcmsrv_ccache_json.c
+++ b/src/responder/kcm/kcmsrv_ccache_json.c
@@ -229,6 +229,20 @@ static json_t *princ_to_json(TALLOC_CTX *mem_ctx,
 json_error_t error;
 char *str_realm_data;
 
+if (princ == NULL) {
+jprinc = json_pack_ex(&error,
+  JSON_STRICT,
+  "{}");
+if (jprinc == NULL) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+  "Failed to pack JSON princ structure on line %d: %s\n",
+  error.line, error.text);
+return NULL;
+}
+
+return jprinc;
+}
+
 components = princ_data_to_json(mem_ctx, princ);
 if (components == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE,
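Review bot: Using an empty object as the serialised form of a NULL principal is a reasonable sentinel, but the new branch needs a one-line comment stating that `{}` means "ccache created but not yet initialised", since nothing else in the JSON distinguishes it from a malformed principal. The early `return jprinc;` also bypasses the `components` handling below, so the deserialiser side must treat an empty object as "no principal" rather than failing on a missing `components` key.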
@@ -587,13 +601,12 @@ static errno_t json_array_to_krb5_data(TALLOC_CTX *mem_ctx,
 return EOK;
 }
 
-static errno_t json_to_princ(TALLOC_CTX *mem_ctx,
- json_t *js_princ,
- krb5_principal *_princ)
+static errno_t json_to_nonempty_princ(TALLOC_CTX *mem_ctx,
+  json_t *js_princ,
+  krb5_principal *_princ)
 {
 errno_t ret;
 json_t *components = NULL;
-int ok;
 krb5_principal princ = NULL;
 TALLOC_CTX *tmp_ctx = NULL;
 char *realm_str;
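Review bot: Renaming the static function to `json_to_nonempty_princ` and dropping the `int ok;` used for the `json_is_object()` check only works if a new `json_to_princ` wrapper now performs that object check and maps `{}` to a NULL principal before calling this one; that wrapper is not in the visible part of the hunk, so confirm the callers were switched to it, otherwise an empty principal object would reach this function and fail on the missing keys.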
@@ -601,13 +614,6 @@ static errno_t json_to_princ(TALLOC_CTX *mem_ctx,
 size_t comp_count;
 json_error_t error;
 
-ok = json_is_object(js_princ);
-if (!ok) {
-DEBUG(SSSDBG_CRIT_FAILURE, "Json 

[SSSD] [sssd PR#558][synchronized] WIP: Add a test for sss_nss_getgrouplist_timeout and fix invalidating the initgroups cache

2019-01-20 Thread jhrozek
   URL: https://github.com/SSSD/sssd/pull/558
Author: jhrozek
 Title: #558: WIP: Add a test for sss_nss_getgrouplist_timeout and fix invalidating the initgroups cache
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/558/head:pr558
git checkout pr558
From 2da0f4a08eb72a924b9c2b9a00f0caeadc352d93 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Tue, 24 Apr 2018 16:31:38 +0200
Subject: [PATCH 1/2] NSS: Fix deleting named entries from the initgroup memory
 cache

---
 src/responder/nss/nss_cmd.c|  8 ++--
 src/responder/nss/nss_get_object.c | 17 +++--
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
index 9ee6ca805e..ef4c75fc4a 100644
--- a/src/responder/nss/nss_cmd.c
+++ b/src/responder/nss/nss_cmd.c
@@ -493,12 +493,16 @@ static errno_t invalidate_cache(struct nss_cmd_ctx *cmd_ctx,
 return ret;
 }
 
-memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx, NULL,
-  output_name, 0, memcache_type);
 if (memcache_type == SSS_MC_INITGROUPS) {
+memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx, NULL,
+  result->lookup_name, 0, memcache_type);
+
 /* Invalidate the passwd data as well */
 memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx,
   result->domain, output_name, 0, SSS_MC_PASSWD);
+} else {
+memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx, NULL,
+  output_name, 0, memcache_type);
 }
 talloc_free(output_name);
 
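Review bot: The INITGROUPS branch now deletes the memory-cache entry by `result->lookup_name` with a NULL domain while every other type keeps using `output_name`, and neither the hunk nor the (empty) commit message says why the key differs; add a short comment explaining that initgroups entries are stored under the raw lookup name. The PASSWD invalidation in the same branch still uses `output_name`, which is what you want, but without the comment a reader will assume one of the two is a mistake.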
diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c
index 15faced006..bab817ab4a 100644
--- a/src/responder/nss/nss_get_object.c
+++ b/src/responder/nss/nss_get_object.c
@@ -109,12 +109,17 @@ memcache_delete_entry(struct nss_ctx *nss_ctx,
 }
 
 if (name != NULL) {
-ret = sized_output_name(NULL, rctx, name, dom, &sized_name);
-if (ret != EOK) {
-DEBUG(SSSDBG_OP_FAILURE,
-  "Unable to create sized name [%d]: %s\n",
-  ret, sss_strerror(ret));
-return ret;
+if (type == SSS_MC_INITGROUPS) {
+sized_name = talloc_zero(NULL, struct sized_string);
+to_sized_string(sized_name, name);
+} else {
+ret = sized_output_name(NULL, rctx, name, dom, &sized_name);
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE,
+"Unable to create sized name [%d]: %s\n",
+ret, sss_strerror(ret));
+return ret;
+}
 }
 
 ret = memcache_delete_entry_by_name(nss_ctx, sized_name, type);
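Review bot: The new INITGROUPS branch has no allocation check: `talloc_zero(NULL, struct sized_string)` can return NULL and `to_sized_string(sized_name, name)` would then dereference it, whereas the else branch does check its `ret`. Add `if (sized_name == NULL) { return ENOMEM; }` before the `to_sized_string()` call. Also double-check that the caller frees `sized_name` on both paths, since both branches allocate it with a NULL parent.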

From e9f7d71d169ed8aa81644b4db79b2bb2bbd1dee0 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek 
Date: Mon, 23 Apr 2018 21:33:49 +0200
Subject: [PATCH 2/2] TESTS: Add tests for the sss_nss_getgrouplist_timeout
 function

---
 src/tests/intg/Makefile.am|   2 +
 src/tests/intg/sssd_nss_ex.py |  86 +++
 src/tests/intg/test_nss_ex.py | 261 ++
 3 files changed, 349 insertions(+)
 create mode 100644 src/tests/intg/sssd_nss_ex.py
 create mode 100644 src/tests/intg/test_nss_ex.py

diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 9c53382613..028fe8ed3c 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -3,6 +3,7 @@ dist_noinst_DATA = \
 config.py.m4 \
 util.py \
 sssd_nss.py \
+sssd_nss_ex.py \
 sssd_id.py \
 sssd_ldb.py \
 sssd_netgroup.py \
@@ -36,6 +37,7 @@ dist_noinst_DATA = \
 data/ad_schema.ldif \
 test_pysss_nss_idmap.py \
 test_infopipe.py \
+test_nss_ex.py \
 $(NULL)
 
 EXTRA_DIST = data/cwrap-dbus-system.conf.in
diff --git a/src/tests/intg/sssd_nss_ex.py b/src/tests/intg/sssd_nss_ex.py
new file mode 100644
index 00..381f3cae34
--- /dev/null
+++ b/src/tests/intg/sssd_nss_ex.py
@@ -0,0 +1,86 @@
+#
+# Shared module for integration tests that need to access the sssd_nss_ex
+# interface directly
+#
+# Copyright (c) 2018 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+
+import config
+import errno
+from ctypes import (cdll, c_int, c_char_p, c_cha

[SSSD] [sssd PR#734][+Accepted] sss_client: minor fixes

2019-01-20 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/734
Title: #734: sss_client: minor fixes

Label: +Accepted